send dns requests through tor

This commit is contained in:
Grimmauld 2025-02-20 14:50:22 +01:00
parent 31e1aba73f
commit acf263db0f
10 changed files with 66 additions and 19 deletions


@ -67,6 +67,7 @@ in
"network.connectivity-service.DNSv6.domain" = "::1";
network.dns.localDomains = "::1";
network.dns.forceResolve = true;
"media.peerconnection.enabled" = false;
"media.rdd-ffmpeg.enabled" = true;
"media.navigator.mediadatadecoder_vpx_enabled" = true;
} // optionalAttrs sway.enable { "browser.tabs.inTitlebar" = 0; };
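Review bot: `network.dns.forceResolve = true;` looks type-mismatched: as far as I recall this Firefox pref is string-valued (a host that every lookup is forced to resolve to), so a boolean is likely either ignored or applied as the literal text `true` — confirm in about:config on a built profile before assuming it does anything. If the goal is to stop Firefox bypassing the system resolver now that it goes through dnscrypt-proxy and Tor, the pref family that controls that is `network.trr.mode`, which I cannot see being set in this hunk. The enclosing attrset starts before this hunk.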


@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
hash = "sha256-dMkUJMQjlKzmSsgtH0xOZ5Bk654+h84M1cTx8hVM5SQ=";
};
cargoHash = "sha256-cn9vtRO+negpIVs0rnp2y5q7L4w554dfBK9MtbWd8FA=";
useFetchCargoVendor = true;
cargoHash = "sha256-YSi7sObmclTR6BSQPSN54/2aurXxCl/q2i8hutlJXkw=";
meta = {
description = "tool to find the path of xdg config files";


@ -15,7 +15,8 @@ rustPlatform.buildRustPackage {
hash = "sha256-nbC/nM6orM19Qh/1bpN6gxOqvhCO4cVBumgEFl9G4Rs=";
};
cargoHash = "sha256-l7uRTGV2iYbWbJSvs+YHwMSYmVW3FHa7sgbO2mub7a0=";
useFetchCargoVendor = true;
cargoHash = "sha256-S+NpQti2fgaz1UogqXbo+1mgkmetf/brQFcDrW00ZiU=";
meta = {
description = "tool to find files by name in parent directories";


@ -42,7 +42,7 @@ in
spotify = "enforce";
"thunderbird.apparmor.d" = "enforce";
xdg-open = "enforce";
child-open-any = "enforce";
# child-open-any = "enforce";
child-open = "enforce";
firefox-glxtest = "enforce";
firefox-vaapitest = "enforce";
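Review bot: Commenting out `child-open-any = "enforce";` silently drops that profile from the enforced set with no record of why, so a later reader cannot tell whether it was a breakage workaround tied to this Tor/DNS change or a deliberate policy decision. Put the reason inline, e.g. `# child-open-any disabled: <reason>; re-enable once <condition>`, or delete the line outright if it is not coming back. The enclosing attrset begins before this hunk.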


@ -68,7 +68,6 @@
systemd.tpm2.enable = false;
systemd.enableEmergencyMode = false;
virtualisation.vswitch.enable = false;
services.resolved.enable = false;
security.unprivilegedUsernsClone = true;
security.apparmor.enable = true;
security.allowSimultaneousMultithreading = true;
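Review bot: Dropping the explicit `services.resolved.enable = false;` (assuming that is the removed line, as the 7→6 count suggests) leaves the option at its default, so any module that later turns on systemd-resolved would start a stub listener on 127.0.0.53 next to the local dnscrypt-proxy with nothing here catching it. If the intent is that dns.nix now owns resolver configuration, keeping the line or adding an assertion such as `assertions = [ { assertion = !config.services.resolved.enable; message = "resolved conflicts with dnscrypt-proxy"; } ];` makes that explicit. The surrounding attrset starts and ends outside the hunk.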


@ -2,11 +2,23 @@
{
networking = {
nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
# nameservers = lib.mkForce [ "127.0.0.1:8053" "[::1]:8053" ];
dhcpcd.extraConfig = "nohook resolv.conf"; # dhcp
networkmanager.dns = "none"; # nm
resolvconf.useLocalResolver = true; # resoved
};
services.tor = {
enable = true;
client.enable = true;
torsocks = {
enable = true;
allowInbound = false;
};
settings.SafeSocks = true;
settings.TestSocks = true;
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
@ -18,20 +30,22 @@
odoh_servers = false;
require_nolog = true;
require_nofilter = true;
listen_addresses = [ "127.0.0.1:53" ];
proxy = "socks5://${config.services.tor.torsocks.server}";
force_tcp = true;
sources.public-resolvers = let
serverList = pkgs.fetchurl {
# fetching during build prevents issues e.g. when the certificate can't be validated if the clock is wrong
url = "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md";
hash = "sha256-NrcMn57GS38qrE7f6GYcdUJCMAr9drl57omVnuS6oEU=";
hash = "sha256-2Pjs37mMolfWaaTf2c+tTbc1mzjCncK9qLyyZJn0LgA=";
};
in {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
# "file://${serverList}"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
cache_file = serverList;
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
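Review bot: `settings.SafeSocks = true;` (line 84 of this section) may refuse the very SOCKS connections this change introduces: Tor's SafeSocks rejects SOCKS requests that carry a bare IP address, and dnscrypt-proxy reaches most resolvers from their stamps by IP, so with `proxy = "socks5://..."` DNS would presumably fail closed rather than traverse Tor — confirm with the TestSocks notices in the tor journal before relying on it. `cache_file = serverList;` points dnscrypt-proxy's writable cache at an immutable store path, so its periodic refresh of the resolver list likely cannot be written back and the list stays pinned to the fetched hash; if that is intended, say so next to the existing build-time-fetch comment, e.g. `# store path is read-only: resolver list stays pinned until the hash is bumped`. `nameservers` lists `::1` but `listen_addresses` binds only `127.0.0.1:53`, so queries sent to the IPv6 entry will be refused unless another listener covers it. The commented-out `nameservers` and `file://` lines are dead config and should either go or carry a reason.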


@ -30,6 +30,7 @@ in
./firefox.nix
./tooling.nix
./dns.nix
./tor.nix
];
config = mkIf (enable && tooling.enable && network) {


@ -72,13 +72,6 @@ in
operand = "dest.port";
data = "443";
}
{
type = "regexp";
sensitive = false;
operand = "dest.host";
data = "(channels|cache)\\.nixos\\.org";
}
];
};
};


@ -0,0 +1,37 @@
{
config,
lib,
...
}:
let
inherit (config.grimmShared)
enable
tooling
network
;
inherit (lib)
mkIf
;
created = "1970-01-01T00:00:00.0+00:00";
in
{
config = mkIf (enable && tooling.enable && network) {
services.opensnitch.rules = {
tor = mkIf (config.services.tor.enable) {
name = "tor";
enabled = true;
action = "allow";
duration = "always";
inherit created;
operator = {
type = "simple";
sensitive = false;
operand = "process.path";
data = lib.getExe' config.services.tor.package "tor";
};
};
};
};
}
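Review bot: The rule allows the tor binary to connect to any destination on any port, which tor needs for guards and directory fetches, but nothing in the file says so; a comment such as `# tor needs unrestricted outbound access to reach guards and directory mirrors; anything using its SOCKS port inherits this allow` would stop a later reader from tightening it or from assuming it is scoped. Style: `mkIf` is brought in via `inherit (lib)` while `getExe'` is used as `lib.getExe'` on line 173 — inherit both or neither. `mkIf (config.services.tor.enable)` has redundant parentheses around a plain attribute path.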


@ -33,7 +33,7 @@ in
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
};
};
@ -52,7 +52,7 @@ in
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
}
{
type = "lists";
@ -78,7 +78,7 @@ in
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "simple";
@ -105,7 +105,7 @@ in
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
};
};
@ -124,7 +124,7 @@ in
type = "regexp";
sensitive = false;
operand = "process.command";
data = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
data = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\.config/vesktop.+";
}
{
type = "lists";
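Review bot: The same rewritten prefix `${escapeRegex "${pkgs.electron}"}/libexec/electron/.*` is now repeated in five rules (lines 187, 195, 204, 213, 221); hoisting it into the file's `let` as `electronCmd = "${escapeRegex "${pkgs.electron}"}/libexec/electron/.*";` and writing `data = "${electronCmd}${escapeRegex "..."}...";` keeps the next change from being missed in one of them. The unescaped `.*` after `electron/` now matches any binary under that directory followed by anything, which is looser than the old `electron.*`; if only the electron binary should be allowed, `/libexec/electron/electron.*` keeps the intent. The `\.config` at the end of the NetworkService rules is inside a Nix double-quoted string, so I believe it reaches opensnitch as a bare `.config` (any character plus `config`) — a `\\.` would be needed if the literal dot matters, though this predates the commit. The file's `let` bindings and outer attrset are outside these hunks.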